RPKI with Quagga

     A few weeks ago the NIST announced the BGP Secure Router Extension (BGP-SRx) Prototype, that basically makes it possible to use Quagga with RPKI 

    and origin-validation. So, after playing with the RPKI implementations from Cisco and Juniper we decided to take a look at it.

    The BGP-SRx implementation in quagga is a bit different that its counterparts (JunOS and IOS). You need two modules, one stand-alone server (SRx Server) to speaks RTR with the caches and the BGP-Quaggla-Plugin that connects with the SRx Server. Why you need two pieces of code instead of one plugin of RTR/Origin-validatio in Quagga? Well, according to the developers it simplifies the modifications that Quagga needs. It may be true, but it complicates a bit its implementation and troubleshooting.
    I used CenOS 6, RIPE NCC validator-cache for these tests and our RPKI Demo repository:
    The first step after getting the code is to compile the SRx Server, check the INSTALL file, there are some flags to set up. You will need to modify the server config (in a file /usr/local/bin/) with your cache parameters. After that you will be able to telnet the server to verify that it has received ROAs.
    The next step is to compile and configure Quagga. You need to copy some libraries from the SRx Server and compile with some flags to add the origin-validation. After that the configuration is pretty straight forward.
    router bgp 1
     bgp router-id
     neighbor remote-as 20
     !SRx Configuration Settigns
     srx display
     srx connect 17900
     srx evaluation roa_only
     srx keep-window 900
    This is very basic, I haven't played with policies to modify local preference according to the route validity but it gives you an idea.
    The BGP routing table looks like:
    bgpd# sh ip bgg
    BGP table version is 0, local router ID is
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale, R Removed
    Validation:    v - valid, u - unknown, i - invalid, ? - undefined
    SRx Status:    I - route ignored, D - SRx evaluation deactivated
    SRxVal Format: validation result (origin validation, path validation)
    Origin codes: i - IGP, e - EGP, ? - incomplete
       Ident    SRxVal SRxLP Status Network          Next Hop            Metric  LocPrf Weight Path
    *> B2E8F5E6 v(v,-)               0              0 20 i
    *> 093057FE i(i,-)               0              0 20 i
    *  -------- ?(?,-)          I                  0          32768 i
    *> D58A50E7 u(u,-)               0              0 20 i
    The ROA table is the same than in the JunOS example. As you can see is valid, is invalid and is unknown.
    The specific announce of one route looks like:
    bgpd# sh ip bgp
    BGP routing table entry for
    Paths: (1 available, best #1, table Default-IP-Routing-Table)
      Not advertised to any peer
        SRx Information:
          Update ID: 0xB2E8F5E6
            prefix-origin: valid
            path processing disabled! from (
          Origin IGP, metric 0, localpref 100, valid, external, best
          Last update: Wed Dec 31 22:38:17 1969
    We will keep working on this and soon we will be able to provide a virtual machine ready to use. Meanwhile you can download the code from NIST and if you have questions please feel free to contact us.